CentOS SElinux How to: Part 1, Theory and basics

Maybe the first thing you learn when you start working with SELinux is how to disable it and forget about it. This is usually done to simplify the deployment of services like Asterisk, Zabbix or WordPress, and we don’t think about the reasons why SELinux is included in the default minimal install of CentOS. So, what are we turning off, anyway?

Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control (MAC) mechanism in the Linux kernel that checks whether an operation is allowed after the standard discretionary access controls (DAC) have been checked. It was created by the National Security Agency and can enforce rules on files and processes in a Linux system, and on their actions, based on defined policies. This seems rather complicated and confusing, but mastering the topic greatly increases the security of an installation by providing an additional layer of protection. Before we begin using it, let’s understand some basic concepts and answer these questions: how does SELinux help to enforce security, and why don’t we need to turn it off?

This article is the first in the CentOS SELinux How To series, which guides you from theory and basics to advanced operations and troubleshooting of SELinux.

Part 2

Part 3

CentOS SElinux How to: Why do we need it running

The type of access control that Linux uses by default is called DAC, Discretionary Access Control. It is based on the user or group security context. What does that mean? It is simple: you grant privileges and access rights to a user or a group. In this basic security model every file has three entities, User, Group and Other, and each entity has its own combination of the basic rights: read, write and execute. For example, create a user TestUser01, create a file in that user’s home folder and use the ls command to show its permissions:

[TestUser01@HQ-VC-Selinux01 ~]$ touch testfile
[TestUser01@HQ-VC-Selinux01 ~]$ ls -l testfile
-rw-rw-r--. 1 TestUser01 TestUser01 0 Nov 13 14:11 testfile
[TestUser01@HQ-VC-Selinux01 ~]$ chmod 777 testfile
[TestUser01@HQ-VC-Selinux01 ~]$ ls -l testfile
-rwxrwxrwx. 1 TestUser01 TestUser01 0 Nov 13 14:11 testfile

As you can see, TestUser01 is the owner of the file and can grant access to it to any user, or to everyone. He can also change the owner of the file. These actions can expose your files and folders to unwanted users or processes, and that is a big security flaw. Yes, it is possible to make the TestUser01 account and its files more secure, but you can’t do that for every file in the system.

Next, if TestUser01 runs a program, the program inherits all the rights given to the user, and there is no way to isolate the program’s environment from the user’s security context. If the program is compromised (infected by a virus, for example), the user’s files are compromised as well, which is another security flaw of the traditional access control system. Consider a program that runs in the user context: it has the right to change the permissions and owners of the user’s files.

DAC makes its decision based on user ownership, and there is no way to fine-tune access control to take into account the role of a user or a program and their functions. That is where SELinux comes into play. SELinux is an addition to the traditional access control system that works after DAC and makes access rights more precise. SELinux isolates processes in a logical unit called a domain, and processes can interact only with strictly defined domains and files or file types. This prevents an attacker from taking control of the whole system or the whole user context after compromising a single process. Before we dive into the basics and terminology, let’s learn how to turn SELinux on and off and how to check its status.

CentOS SElinux How to: Enable/disable and check status

First, let’s check the status by issuing the sestatus command:

[root@HQ-VC-Selinux01 ~]# sestatus
SELinux status:                 disabled

Or use the getenforce utility:

[root@HQ-VC-Selinux01 ~]# getenforce
Disabled

Now let’s set SELinux to permissive mode: SELinux will be enabled, but will only log actions instead of blocking them. We do this by editing the main configuration file (every option is explained a bit later), located at /etc/sysconfig/selinux. Change the value of the SELINUX line to permissive, then save and exit with :wq:

Also, if SELinux is enabled and working in permissive or enforcing mode, you can switch between the two with the setenforce command without a reboot:

[root@HQ-VC-Selinux01 ~]# setenforce enforcing
[root@HQ-VC-Selinux01 ~]# getenforce
Enforcing
[root@HQ-VC-Selinux01 ~]# setenforce permissive
[root@HQ-VC-Selinux01 ~]# getenforce
Permissive

A reboot is needed only when you enable or disable SELinux, because object security labels have to be set or deleted.
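To make the difference between the runtime mode and the persistent mode concrete, here is an added example (written for this edit, not code from the original article) that reads and rewrites the SELINUX line of the configuration file and decides whether a reboot is required. It assumes the file path the article gives, /etc/sysconfig/selinux (on CentOS 7 that path is a symlink to /etc/selinux/config), and runs against a temporary copy of a constructed sample of that file; the SETENFORCE variable and all function names are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: reading and changing the
# persistent SELinux mode in the configuration file from a shell script.
# The content below is a constructed approximation of the shipped file so the
# script runs offline against a temporary copy, never against the real one.

SELINUX_CONF_SAMPLE='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted'

# Persistent mode: the value of the (last) uncommented SELINUX= line.
# Comment lines start with # and therefore never match the anchored pattern.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*//p' "$1" | tail -n 1
}

# Only these three values are valid in the config file.
selinux_valid_mode() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# True (exit 0) when going from mode $1 to mode $2 needs a reboot: switching
# between enforcing and permissive is a runtime change, but any change to or
# from disabled is not, because object labels have to be set or removed.
selinux_needs_reboot() {
    [ "$1" != "$2" ] && { [ "$1" = disabled ] || [ "$2" = disabled ]; }
}

# Rewrite the SELINUX= line of config file $1 to mode $2 (through a temp copy,
# so the same command works with GNU and BSD sed).
selinux_config_set_mode() {
    selinux_valid_mode "$2" || { echo "invalid mode: $2" >&2; return 1; }
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Make a mode change that survives reboots and, where possible, apply it now.
# SETENFORCE names the command used for the runtime change (default:
# setenforce); SETENFORCE=echo gives a dry run, as in the demo below.
selinux_switch_mode() {
    conf=$1; new=$2
    cur=$(selinux_config_mode "$conf")
    selinux_config_set_mode "$conf" "$new" || return 1
    if [ "$cur" = "$new" ]; then
        echo "SELINUX=$new already set in $conf"
    elif selinux_needs_reboot "$cur" "$new"; then
        echo "SELINUX=$new written to $conf (was $cur): reboot required"
    else
        "${SETENFORCE:-setenforce}" "$new"
    fi
}

# Demo on a temporary copy of the constructed file (dry run, no setenforce).
tmp=$(mktemp)
printf '%s\n' "$SELINUX_CONF_SAMPLE" > "$tmp"
echo "configured mode: $(selinux_config_mode "$tmp")"
SETENFORCE=echo
export SETENFORCE
selinux_switch_mode "$tmp" permissive     # runtime change, prints "permissive"
selinux_switch_mode "$tmp" disabled       # reboot required
rm -f "$tmp"
```

The two-step pattern is the point: setenforce changes only the running kernel, so a change made with it alone is lost at the next boot, while editing the file alone takes effect only after a reboot. The script does both, and refuses values the config file would not accept.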

CentOS SElinux How to: View logs

One of the crucial things in mastering SELinux is its log messages. In permissive mode SELinux allows the actions but writes messages to the log file, and in enforcing mode this information helps with troubleshooting policies. In Red Hat and CentOS 7, the auditd package is installed by default. Log messages are written to the /var/log/audit/audit.log file; to view only SELinux messages, grep the file for the record type AVC:

In addition, similar messages are written to the /var/log/messages file. Grep it for selinux:

[root@HQ-VC-Selinux01 ~]# cat /var/log/messages | grep selinux
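As an added example (not from the original article), the following script does what the grep above does and a little more: it keeps only the AVC records that are denials and summarises them by source type, object class and permission, which is the first thing to look at when a service fails under SELinux. The audit.log lines are constructed samples in the auditd record format (fake pids, inodes and timestamps), embedded so the script runs offline; the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: filtering and summarising
# SELinux AVC denials from audit.log with standard tools. The log lines below
# are constructed samples; on a real host you would read
# /var/log/audit/audit.log instead.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1384349467.500:1011): avc:  denied  { read } for  pid=2310 comm="httpd" name="index.html" dev="dm-0" ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1384349467.500:1011): arch=c000003e syscall=2 success=yes exit=4 a0=7f3c0c001f20 a1=80000 a2=0 a3=0 items=0 ppid=2301 pid=2310 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1384349468.210:1012): avc:  denied  { read } for  pid=2310 comm="httpd" name="logo.png" dev="dm-0" ino=141 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1384349470.120:1013): avc:  denied  { name_connect } for  pid=2310 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1384349471.000:1014): avc:  granted  { setenforce } for  pid=1200 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security'

# The lines an administrator greps for: AVC records that are denials.
# (permissive=1 marks a denial that was logged but not blocked.)
avc_denials() {
    printf '%s\n' "$1" | grep 'type=AVC' | grep ' denied '
}

# One line per distinct (source type, target class, permission) with a count,
# highest count first. Fields are located by name rather than by position,
# because the fields present in an AVC record vary with the object class.
avc_summary() {
    avc_denials "$1" | awk '{
        perm = ""; inbrace = 0; stype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perm = (perm == "" ? $i : perm "," $i); continue }
            # source context is user:role:type:level, the type is the 3rd field
            if (index($i, "scontext=") == 1) { split(substr($i, 10), c, ":"); stype = c[3] }
            if (index($i, "tclass=") == 1) tclass = substr($i, 8)
        }
        count[stype " " tclass " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demo: prints "2 httpd_t file read" and "1 httpd_t tcp_socket name_connect"
avc_summary "$SAMPLE_AUDIT_LOG"
```

Reading the summary rather than raw lines shows at a glance that the web server (httpd_t) is being refused both file access and an outbound database connection; each of those is a separate policy question, and in permissive mode both would have been silently allowed.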

CentOS SElinux How to: MAC, Modes and Types of SELinux

We know the basic operations and are able to view and edit the main configuration file and to view the status and log messages of SELinux. It’s time for some theory, to understand SELinux and the type of access control it implements.

The first thing to remember: SELinux policies run after the traditional discretionary access control. If access is denied at the DAC level, the system denies it even when the SELinux policy would allow it; the SELinux policy is simply not consulted.

After DAC, SELinux adds another access control system, MAC, Mandatory Access Control. The MAC architecture adds the ability to enforce a security policy over all processes and files in the system, basing decisions on an additional security context that contains a variety of security-relevant information. Let’s look at this additional security context and see the difference. You can view the SELinux security context of files with the ls -Z command.

SELinux has three modes:

Enforcing: SELinux policy is enforced. Access that violates the policy is denied, and the denial is logged.

Permissive: SELinux policy is not enforced. SELinux does not deny access, but would-be denials are logged. This mode is the best for testing and troubleshooting SELinux.

Disabled: SELinux is turned off. Only DAC rules are applied.

There are also two types of SELinux policy:

Targeted: The default setting in CentOS. A targeted policy targets specific processes, which run in confined environments called domains, while all other processes run in the unconfined domain. By default, subjects running in an unconfined domain cannot allocate writeable memory and execute it; this measure reduces the system’s exposure to buffer overflow attacks.

MLS: Multi-Level Security is a security access scheme that uses the Bell-LaPadula mandatory access model. In MLS there are subjects (users and processes) and objects (files, devices, etc.). Both subjects and objects have a security label consisting of a category and a sensitivity. This topic will be covered in Part 3 of the CentOS SELinux How To.

CentOS SElinux How to: Security context

As the previous example shows, SELinux contexts follow the syntax SELinux user:role:type:level.

SELinux user: This is the entity that is given roles in the SELinux policy. SELinux users are separate from traditional Linux users and are mapped to them, which lets Linux users inherit the restrictions placed on SELinux users. To view the list of mappings between Linux users and SELinux users, install the policycoreutils-python package and run the semanage login -l command:

[root@HQ-VC-Selinux01 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *

Role: A role is the connection between who is granted access (the SELinux user) and what is accessed (the domain). It defines which domains or object types can be accessed.

Type: The type is the attribute used by Type Enforcement. A type defines a domain for processes and a type for files, and SELinux policy rules define how types can access each other.

Level: This entity is used by MLS. It contains a pair of values (low-high), or just one value if the two are identical. Each value is a pair of sensitivity and category. We will cover this in more detail in Part 3.
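An added example (not from the original article) that splits a context into its four fields and then uses the type field to find files whose label does not match the rest of a directory, the situation behind most AVC denials on a web server. The ls -Z lines are constructed samples in the CentOS 7 layout (mode, user, group, context, name), and httpd_sys_content_t is assumed here as the expected type for web content; the helper names are this example’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: parsing SELinux contexts
# (user:role:type:level) and checking file labels from ls -Z output.

# The level is everything from the 4th field on, because an MLS/MCS range such
# as s0-s0:c0.c1023 contains a colon of its own: a naive split into exactly
# four parts would report the level as "s0-s0" and drop the category range.
ctx_user()  { printf '%s\n' "$1" | cut -d: -f1; }
ctx_role()  { printf '%s\n' "$1" | cut -d: -f2; }
ctx_type()  { printf '%s\n' "$1" | cut -d: -f3; }
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Constructed ls -Z output: a web root where one file was copied in from a
# user's home directory and kept its user_home_t label.
SAMPLE_LS_Z='-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-rw-r--. TestUser01 TestUser01 unconfined_u:object_r:user_home_t:s0 logo.png
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 style.css'

# Print "name type" for every file in the ls -Z output $1 whose type is not $2.
# Column 4 is the context and column 5 the name (file names without spaces
# are assumed for this sample). httpd, confined to httpd_t, is denied access
# to user_home_t files by policy, so the mislabelled file is the one to fix.
mislabelled() {
    printf '%s\n' "$1" | awk -v want="$2" '{
        split($4, c, ":")
        if (c[3] != want) print $5, c[3]
    }'
}

# Demo
ctx="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
echo "user=$(ctx_user "$ctx") role=$(ctx_role "$ctx") type=$(ctx_type "$ctx") level=$(ctx_level "$ctx")"
mislabelled "$SAMPLE_LS_Z" httpd_sys_content_t    # prints "logo.png user_home_t"
```

The type check is deliberately done on the third field only: the user and role parts of a file context (system_u versus unconfined_u, for example) differ depending on who created the file, while it is the type that Type Enforcement rules are written against, so a mismatch there is the one that produces denials.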

So, we have figured out why we need SELinux running and learned some basic theory and operations. In Part 2 of the series, we will learn about the settings of the SELinux targeted policy called Booleans, describe troubleshooting steps and look at some real-world examples.